Chosen-Cipher Security of EPOC-2

At Eurocrypt’98, Okamoto and Uchiyama presented a new trapdoor (one-way) function based on factoring [5], while Fujisaki and Okamoto, at CRYPTO’99, showed a generic conversion from just oneway encryption to chosen-ciphertext secure encryption in the random oracle model [3]. We point out here that the result of combining both schemes, called EPOC-2, has a better efficiency in security reduction, more than would be expected from [3], that is, the chosen-cipher security of EPOC-2 is tightly reduced from factoring. 1 Chosen Ciphertext Security We recall the chosen-ciphertext security notion for asymmetric encryption following [4, 1]. In this security notion, we consider an adversary, A, that takes two stages, denoted find and guess. In the find stage, A takes publickey pk and returns two distinct messages, m0,m1, as well as string s (such as public information utilized in the next stage). A then takes in the guess stage the encryption of mb, denoted c∗ = Epk(mb), where b ∈ {0, 1} and the above information s. A then queries decryption oracle Dsk(·) with the only restriction that she can’t query the oracle on the challenge ciphertext c∗, and finally guesses b. The advantage of A is meant by how well she can guess value b. The random oracle version of this security notion is defined by allowing A to access a random oracle(s). We define by Ω a map family from an appropriate domain to an appropriate range. The domain and range depend on the target encryption scheme. Even if we choose two random functions with different domains or ranges, we just write, for convenience, the experiment as G,H ← Ω, instead of preparing two map families. We begin with some notations.